How Citrix’s First CSO Addressed Internal IT Security Issues

Stan Black, Citrix's first CSO, says he implemented a more consistent and uniform approach to how every function at Citrix consistently protects the business.


Last month, I wrote a post about Stan Black, chief security officer at Citrix Systems, who argued that just treating the symptoms of your cybersecurity ills won’t cure them, and that instead, you need to address the cause. What’s worth elaborating upon in this follow-up is what Black had to say about how he addressed Citrix’s own IT security issues.

I opened this portion of my interview with Black by asking him what he has had to fix at Citrix since joining the company as CSO a little over three years ago. His response:

A lot of things. Well, I don’t know that fixing is the right term. I’m Citrix’s first CSO, and what we have implemented is a more consistent and uniform approach to how every function at Citrix consistently protects the business. Many businesses, whether they’re a technology company or a heavily regulated institution, have varying levels of protection. It’s my opinion that we are part of our customer’s supply chain, and therefore every facet of our business needs to be consistently protected. Now, some items are far more sensitive than others, so you need levels. But I wouldn’t say it’s what I have fixed — it’s consistency that we have established, whether it’s product security, operational security or cloud security. We also do geopolitical and threat risk modeling; we make sure our people around the globe are safe, and that we have the ability to reach out to them in the event of an incident. So it’s a fairly broad spectrum. I’m responsible for product security, operational security, and the safety of our people.

Essentially, our own technologies eliminated the need to add on security layers. Virtualized data doesn’t leave the building; I don’t have to protect it. If inside a container, you’re only allowed to go to authorized locations and communicate with authorized people — in other words, whitelist — then I don’t have to worry about blacklist, do I? So the 30 percent — actually 30-plus percent now — is simplification. There are technologies that do detection, but I prefer prevention. So the detection type of technology, I have greatly reduced.
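The allowlist-versus-blacklist point above is worth seeing in code. The following is an added example, not Black's or Citrix's code, and it is independent of any Citrix product: a small egress policy evaluator that applies the same connection attempts to a denylist (block what is known bad, let everything else through) and to a default-deny allowlist (permit only authorized destinations and ports). All hostnames, networks and connection attempts are constructed for the example. The case to watch is the never-before-seen destination: the denylist lets it through, the allowlist does not.

```python
"""Added example (not from the article or from Citrix): denylist vs. allowlist
egress decisions. Hosts, networks and attempts below are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    dest: str             # hostname suffix ("corp.example") or CIDR ("10.20.0.0/16")
    port: Optional[int] = None   # None means any port

    def matches(self, host: str, port: int) -> bool:
        if self.port is not None and self.port != port:
            return False
        try:
            net = ipaddress.ip_network(self.dest, strict=False)
        except ValueError:
            # Not a CIDR: treat as a hostname rule. Exact match, or a suffix
            # match on a label boundary so "evilcorp.example" never matches
            # a "corp.example" rule.
            h = host.lower().rstrip(".")
            d = self.dest.lower().lstrip(".")
            return h == d or h.endswith("." + d)
        try:
            return ipaddress.ip_address(host) in net
        except ValueError:
            return False      # a hostname never satisfies a CIDR rule


def denylist_allows(host: str, port: int, denied: List[Rule]) -> bool:
    """Block only listed destinations; anything unlisted passes (fails open)."""
    return not any(r.matches(host, port) for r in denied)


def allowlist_allows(host: str, port: int, allowed: List[Rule]) -> bool:
    """Permit only listed destinations; anything unlisted is denied (fails closed)."""
    return any(r.matches(host, port) for r in allowed)


# Constructed policies (hypothetical names and RFC 5737 / RFC 1918 addresses).
DENIED = [Rule("known-bad.example"), Rule("203.0.113.0/24")]
ALLOWED = [
    Rule("corp.example", 443),    # internal services over TLS only
    Rule("10.20.0.0/16", 443),    # same services by address
    Rule("10.20.0.53", 53),       # the one resolver the workload may use
]

# Constructed connection attempts, including a destination on neither list.
ATTEMPTS = [
    ("api.corp.example", 443),
    ("10.20.4.7", 443),
    ("10.20.0.53", 53),
    ("known-bad.example", 443),
    ("203.0.113.9", 443),
    ("never-seen-before.example", 443),   # fresh C2 domain, unknown to any list
    ("api.corp.example", 22),             # authorized host, unauthorized port
]


def evaluate(attempts=ATTEMPTS) -> Dict[Tuple[str, int], Tuple[bool, bool]]:
    """Return {(host, port): (denylist decision, allowlist decision)}."""
    return {
        (h, p): (denylist_allows(h, p, DENIED), allowlist_allows(h, p, ALLOWED))
        for h, p in attempts
    }


if __name__ == "__main__":
    for (h, p), (deny_ok, allow_ok) in evaluate().items():
        print(f"{h}:{p:<5} denylist={'pass' if deny_ok else 'BLOCK'}  "
              f"allowlist={'pass' if allow_ok else 'BLOCK'}")
```

Two practical caveats: hostname rules are only as good as name resolution, so the workload must be pinned to a resolver you control (the port 53 rule above exists for that reason), and the evaluation has to happen somewhere the workload cannot bypass, such as a network policy or proxy rather than inside the application itself.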

Make sure that we keep all systems at Citrix protected in a consistent fashion — it goes back to simplification. But do you want to know what I really learned from that? That truth in some media forms is not necessarily important to what they print or communicate. Because that event was about as benign as they come, but those reports significantly increased the amount of cyber-attention I received globally, to the tune of over 330 percent.

Especially throughout Europe, how security is looked at is actually tied more consistently to privacy. Many of my counterparts throughout Europe look at security and privacy hand-in-hand. So really, it’s not that they are different, but the perception is a little bit different in how they are measured, and what is critical — privacy being top of mind throughout much of Europe. My view on that is, it’s my opinion that the word “privacy” incorporates security, it incorporates compliance. So it protects the business, it protects the technology, and it protects identities and accounts and things of that nature. So I don’t see how they can be bifurcated.

The survey found that 80 percent of the respondents cited attacks from nation-states as what they consider to be the No. 1 security risk. I asked Black if he believes that nation-states are indeed the No. 1 risk, or if that was just top of mind with the respondents because there’s been so much in the press about it recently. He indicated that what’s important is that the focus on nation-states doesn’t blind anyone to the harm generated by the criminal element:

Nation-states have the most resources; organized crime has the highest aptitude for highly targeted activities. So they’re in it for profit; nation-states are in it not necessarily for profit, but for disruption, and for intelligence-gathering, whether it’s an aircraft design or highly cleared people in the government, or whatever the data may be. So that’s why if you look at the 56 billion unauthorized probes that hit my perimeter every quarter, much of the traffic comes from sources that would be put into the category of nation-state — probably 75 percent is a rough estimate. But I would also say that another significant percentage is a mix that goes across the nation-states, that is a mix of government-driven and criminal entity-driven.

A contributing writer on IT management and career topics with IT Business Edge since 2009, Don Tennant began his technology journalism career in 1990 in Hong Kong, where he served as editor of the Hong Kong edition of Computerworld. After returning to the U.S. in 2000, he became Editor in Chief of the U.S. edition of Computerworld, and later assumed the editorial directorship of Computerworld and InfoWorld. Don was presented with the 2007 Timothy White Award for Editorial Integrity by American Business Media, and he is a recipient of the Jesse H. Neal National Business Journalism Award for editorial excellence in news coverage. Follow him on Twitter @dontennant.
